How to Prepare for a CMMC / SPRS Self-Assessment
A self-assessment that holds up at the real assessment follows a specific order. Here's the sequence — scope first, score last — with the prerequisites that trip most contractors.
1. Define your scope first
Scope is the set of assets assessed against the requirements, and it must be defined before you assess. Under 32 CFR 170.19 you categorize each asset — CUI assets, Security Protection Assets, Contractor Risk Managed Assets, Specialized Assets, or Out-of-Scope — because the category determines which requirements apply to it. Document everything in an asset inventory, the SSP, and a network diagram of the assessment scope.
2. Confirm your System Security Plan
Requirement 3.12.4 — the SSP — is a prerequisite, not a scored line item. Without it the assessment can't be completed. Make sure your SSP reflects the scope you just defined before you go further.
3. Assess at the objective level
Each of the 110 requirements decomposes into lettered assessment objectives under NIST SP 800-171A — 319 objectives in total. A requirement is Met only when all of its applicable objectives are satisfied; if any objective is Not Met, the requirement is Not Met; an objective that is N/A is treated as Met. Assessing at the objective level is what makes the MFA and FIPS partial-credit cases fall out correctly and is the evidence an assessor will look for.
4. Build your POA&M and check eligibility
For every gap, write a plan of action with an owner and a milestone date. Then check eligibility (32 CFR 170.21): a Conditional status needs a score of at least 88, no POA&M item worth more than 1 point (except 3.13.11 at 3), and none of the six never-eligible requirements on the plan. A disqualifying gap means No CMMC Status regardless of score.
5. Affirm and enter your summary in SPRS
Every assessment is affirmed by an Affirming Official — a senior representative responsible for the organization's continuing compliance — who needs a PIEE account with the SPRS Cyber Vendor User role. You then enter only the summary into SPRS: the score, the assessment date, your scope, and the POA&M completion date. SPRS never stores your per-requirement answers.
If the person who prepared the assessment isn't the AO, the record is transferred to the AO by email ('Transfer to AO'). The AO's identity is pulled from their PIEE profile and can't be edited in SPRS, and a CMMC Unique Identifier (UID) is assigned only after the assessment is affirmed.
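Steps 3 and 4 above, the objective-level roll-up and the POA&M eligibility check, as a worked example. This is added illustration code, not SentryNexus's implementation; the point values and the never-eligible requirement id are assumed placeholders (take the real ones from 32 CFR 170.24 and 170.21), and the MFA/FIPS partial-credit scoring is not modeled.

```python
MET, NOT_MET, NA = "Met", "Not Met", "N/A"

def requirement_status(objectives: dict) -> str:
    """Step 3: roll the lettered 800-171A objectives up to the requirement.
    Any Not Met objective makes the requirement Not Met; N/A counts as Met."""
    return NOT_MET if NOT_MET in objectives.values() else MET

def cmmc_status(results: dict, points: dict, never_eligible: set):
    """Step 4: score under 32 CFR 170.24 (110 minus the points of each Not Met
    requirement), then apply the 170.21 POA&M eligibility rules from the text.
    results maps requirement id -> {objective letter: status}. Returns (score, status, reasons)."""
    gaps = [req for req, objs in results.items()
            if requirement_status(objs) == NOT_MET]
    score = 110 - sum(points[req] for req in gaps)
    if not gaps:
        return score, "Final", []          # nothing to put on a POA&M
    reasons = []
    if score < 88:
        reasons.append(f"score {score} is below 88")
    for req in gaps:
        cap = 3 if req == "3.13.11" else 1    # FIPS exception from 170.21
        if points[req] > cap:
            reasons.append(f"{req} is worth {points[req]} points (POA&M cap {cap})")
        if req in never_eligible:
            reasons.append(f"{req} can never be placed on a POA&M")
    return score, ("Conditional" if not reasons else "No CMMC Status"), reasons

# Constructed sample data. Point values are ASSUMED for illustration only;
# the real weights are in 32 CFR 170.24 and the never-eligible list is in
# 32 CFR 170.21 (the text above does not enumerate either).
POINTS = {"3.1.1": 5, "3.13.11": 3, "3.3.3": 1, "3.8.9": 1,
          "NEVER-ELIGIBLE-PLACEHOLDER": 1}
NEVER_ELIGIBLE = {"NEVER-ELIGIBLE-PLACEHOLDER"}

def baseline():
    """All requirements Met; 3.8.9 has one N/A objective, which still counts as Met."""
    return {"3.1.1": {"a": MET, "b": MET}, "3.13.11": {"a": MET, "b": MET},
            "3.3.3": {"a": MET}, "3.8.9": {"a": MET, "b": NA},
            "NEVER-ELIGIBLE-PLACEHOLDER": {"a": MET}}

def with_gaps(*not_met):
    """Start from baseline() and mark the given (requirement, objective) pairs Not Met."""
    results = baseline()
    for req, obj in not_met:
        results[req][obj] = NOT_MET
    return results
```

A 1-point gap plus a FIPS gap at 3 points yields Conditional; a single 5-point gap or a never-eligible gap yields No CMMC Status even when the score stays above 88.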
Key takeaways
- Scope first (32 CFR 170.19) — it gates which requirements apply.
- No SSP (3.12.4) means the assessment can't be completed.
- Assess all 319 objectives; any Not Met objective makes the requirement Not Met.
- Check POA&M eligibility, not just the number.
- Affirm via an AO, then enter only the summary in SPRS.
Sources
- 32 CFR Part 170 (CMMC Program rule)
- 32 CFR 170.24 (scoring methodology)
- NIST SP 800-171A (assessment objectives)
- 32 CFR 170.22 (affirmation)
SentryNexus is a preparation and self-assessment tool. It does not connect to or submit anything to SPRS, and it is informational support only — not legal or compliance certification advice.